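/* $NetBSD: nsec.h,v 1.8 2025/01/26 16:25:27 christos Exp $ */

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#pragma once

/*! \file dns/nsec.h */

#include <stdbool.h>

#include <isc/lang.h>

#include <dns/diff.h>
#include <dns/name.h>
#include <dns/types.h>

/*%
 * Size, in bytes, of the scratch buffer that dns_nsec_buildrdata() requires.
 *
 * NOTE(review): presumably one wire-format name (DNS_NAME_MAXWIRE) plus the
 * largest possible NSEC type bitmap, i.e. 256 windows of 32 bitmap bytes
 * (8192) and 2 header bytes per window (512) -- confirm against the
 * implementation before changing any of the terms.
 */
#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)

ISC_LANG_BEGINDECLS

isc_result_t
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
                    const dns_name_t *target, unsigned char *buffer,
                    dns_rdata_t *rdata);
/*%<
 * Build the rdata of a NSEC record.
 *
 * Requires:
 *\li   buffer  Points to a temporary buffer of at least
 *              DNS_NSEC_BUFFERSIZE bytes.  No length is passed with
 *              'buffer', so the callee cannot check this; the caller
 *              must guarantee the size.
 *\li   rdata   Points to an initialized dns_rdata_t.
 *
 * Ensures:
 *\li   *rdata  Contains a valid NSEC rdata.  The 'data' member refers
 *              to 'buffer', so 'buffer' must stay valid and unmodified
 *              for as long as '*rdata' is in use.
 */

isc_result_t
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
               const dns_name_t *target, dns_ttl_t ttl);
/*%<
 * Build a NSEC record and add it to a database.
 */

bool
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
/*%<
 * Determine if a type is marked as present in an NSEC record.
 *
 * Requires:
 *\li   'nsec' points to a valid rdata of type NSEC (the parameter is a
 *      dns_rdata_t, i.e. a single record, not an rdataset).
 */

isc_result_t
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
                  bool *answer);
/*%<
 * Report whether the DNSKEY RRset has a NSEC only algorithm. Unknown
 * algorithms are assumed to support NSEC3. If DNSKEY is not found,
 * *answer is set to false, and ISC_R_NOTFOUND is returned.
 * If 'diff' is provided, check if the NSEC only DNSKEY will be deleted.
 * If so, and there are no other NSEC only DNSKEYs that will stay in 'db',
 * consider the DNSKEY RRset to have no NSEC only DNSKEYs.
 *
 * Requires:
 *\li   'answer' to be non NULL.
 */

unsigned int
dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
                        unsigned int max_type);
/*%<
 * Convert a raw bitmap into a compressed windowed bit map. 'map' and 'raw'
 * may overlap.
 *
 * No capacity is passed for 'map'; the caller is responsible for providing
 * enough room for the compressed output.
 * NOTE(review): the exact space needed for a given 'max_type' is not stated
 * here -- confirm against the implementation.
 *
 * Returns the length of the compressed windowed bit map.
 */

void
dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit);
/*%<
 * Set type bit in raw 'array' to 'bit'.
 *
 * No length is passed with 'array', so keeping 'type' within the array's
 * bounds is the caller's responsibility.
 * NOTE(review): presumably 'array' must hold at least type / 8 + 1 bytes --
 * confirm against the implementation.
 */

bool
dns_nsec_isset(const unsigned char *array, unsigned int type);
/*%<
 * Test if the corresponding 'type' bit is set in 'array'.
 *
 * No length is passed with 'array', so keeping 'type' within the array's
 * bounds is the caller's responsibility.
 */

isc_result_t
dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
                       const dns_name_t *nsecname, dns_rdataset_t *nsecset,
                       bool *exists, bool *data, dns_name_t *wild,
                       dns_nseclog_t log, void *arg);
/*%<
 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
 * Return DNS_R_DNAME when the NSEC indicates that name is covered by
 * a DNAME. 'wild' is not set in this case.
 *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 *
 * NOTE(review): whether '*exists' and '*data' are written on results other
 * than ISC_R_SUCCESS is not stated here; callers should rely on them only
 * after ISC_R_SUCCESS until that is confirmed.
 */

bool
dns_nsec_requiredtypespresent(dns_rdataset_t *rdataset);
/*%<
 * Return true if all the NSEC records in rdataset have both
 * NSEC and RRSIG present.
 *
 * Requires:
 *\li   rdataset to be a NSEC rdataset.
 */

ISC_LANG_ENDDECLS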